Governments around the world are constantly trying to balance the data-privacy needs of tech companies with the surveillance needs of law enforcement and national security agencies. In the United Kingdom, the pendulum seemed to swing toward law enforcement Tuesday when Queen Elizabeth II signed off on a sweeping omnibus surveillance bill called the Investigatory Powers Act.
Unfortunately, Apple and other U.S. tech companies could suffer for it.
The Investigatory Powers Act, or IPA, can be read as the codification of many different kinds of data surveillance that U.K. officials have already been doing in secret. It also contains broad language that allows for new forms of data surveillance. Having these practices enshrined in law will make them far more resistant to court challenges, one expert told me.
Importantly, the new law classifies internet companies along with traditional telecom companies as “communications service providers,” enlisting their help in all sorts of surveillance activities—from gathering phone records to hacking into phones to capturing and storing bulk user data. Internet service providers will be asked to retain records on customer browsing history for a year. Furthermore, the law allows the government to create clearinghouses of searchable personal data gathered from many sources.
“It grants hacking powers to Britain’s security and intelligence services (including GCHQ, MI5, MI6, and military intelligence), as well as state and local police forces, and tax and customs authorities,” points out Danny O’Brien, international director of the Electronic Freedom Foundation.
While the IPA ostensibly deals with the U.K. government’s access to equipment and data within the U.K., the law describes scenarios where surveillance requirements are imposed on companies in other countries that do business in the U.K. While Apple doesn’t store user data in servers located in the U.K. (it has server farms in Ireland and Luxembourg), millions of British citizens use iPhones.
The language in the new law that is of most concern to Apple is about encryption. The IPA could provide the legal framework for a British government law enforcement agency to make a demand on Apple to create a hack into a single phone.
“The overall effect is a wide-ranging power for the Secretary of State to demand a business remove encryption based on an insufficiently robust process and without regard to the full effects, leaving the business with no effective means of appeal,” O’Brien says.
The new powers granted in the bill could create a scenario similar to the one earlier this year in which the FBI demanded that Apple create a software hack enabling access to data on the iPhone 5 used by San Bernardino gunman Syed Farook. Recall that Apple refused to provide a hack to the Farook phone on the grounds that creating a hack for one iPhone effectively means creating a hack to all iPhone 5’s.
However, the British government would be more likely to keep the existence of such a warrant secret, as well as its discussions with Apple. It would not bring the matter into open court as the FBI did, mobilizing a wave of public support for Apple among U.S. consumers and some lawmakers. Behind closed doors, the government may be able to exert more pressure on Apple to comply with a warrant.
Apple was concerned enough about the language in the IPA to submit testimony to the Parliament while the bill was being discussed and amended. Actually, many major companies submitted testimony, both jointly and individually.
“We believe it would be wrong to weaken security for hundred of millions of law-abiding customers so that it will also be weaker for the very few who pose a threat,” Apple attorneys said in the document.
“In this rapidly evolving cyber-threat environment, companies should remain free to implement strong encryption to protect customers,” the testimony reads.
For the purposes of data collection, the IPA enables the “intercept” (read: hacking) of many pieces of equipment at once. The government might demand that a company place “taps” in routers, servers, or other computers as part of a systematic bulk data-collection effort.
Such warrants would probably be served to traditional telecommunications providers (like phone companies) first, to collect bulk call information. In the past, the U.S. government secretly asked this of telecom companies AT&T and Verizon.
But the IPA goes further: It allows government agencies to serve warrants on providers of all internet communications. Apple is concerned that it might one day receive a demand to build a peephole through which U.K. law enforcement might collect data on FaceTime and iMessage users.
Apple says it is not defined as an “electronic communications service provider” in “relevant EU telecommunications law,” but thanks to the Brexit vote, the U.K. may soon not be answering to EU commissions or courts. Meanwhile the IPA’s definition of an electronic communications service provider extends to include “any service provider with a connection to U.K. consumers.” That could include Apple.
The power to conscript private companies to help in bulk data collection may be the IPA’s greatest power, but it might also be its greatest weakness, says Peter Fu, a data security expert and attorney at Cooper Levenson.
“One of the IPA’s primary goals is to establish a searchable general clearinghouse for the exchange of data by critical infrastructure industries (health, finance, agriculture, etc.) and government assets,” Fu says. “While the IPA calls for enhanced security standards, the transition from segmented and compartmentalized maintenance of sensitive data to general exchanges is going to necessarily require the utilization of mass data elements.”
“This presents bad actors and nation states with an attractive, albeit high-risk, target,” Fu adds.
The U.K.’s government appears to believe that companies have a duty to not only assist, but also to keep all surveillance work secret. The EFF’s O’Brien says the bill effectively puts a gag order on companies that receive a demand for help.
The new law also isn’t clear about how, and to whom, the warrants are to be delivered. For instance, O’Brien says, the government could serve a warrant on a U.K.-based employee (say, a systems administrator) of a U.S. firm, demand that they create a surveillance window into private user data, then demand that the employee not tell anyone—not even her higher-ups back in the United States.
“This is the first really expansive omnibus surveillance bill written post-Snowden,” O’Brien says. “You would expect a post-Snowden bill on surveillance might rein in or trim back in some way government surveillance powers. In fact, what the bill does is normalize and legitimize all the practices Snowden exposed.”
Apple isn’t setting off the alarm bells over the passage of the new law, but it’s paying close attention to the way it’s applied and enforced. While the U.K. is still part of the European Union, Apple might still appeal to EU courts if served with a warrant under the power of the IPA. Should the U.K. leave the EU, any face-off over encryption between Apple and the U.K. government would likely be mediated in a British court.